Subject: Re: Off-topic: Dumb IPNAT question
To: None <email@example.com, firstname.lastname@example.org>
From: Sean Doran <email@example.com>
Date: 06/16/1998 13:24:25
Erik Fair wrote:
| NAT is Evil, because it violates the End-to-End model that the Internet was
| built on: smart ends, stupid middle
This model turns out to be inappropriate for the modern Internet.
Unfortunately the "smart ends" philosophy has broken down in the
face of stupid behaviour by the end systems:
-- vast amounts of extremely short, parallel TCP sessions
-- overagressive (broken) TCP implementations which do not
back off sufficiently in the face of congestion
(manifested by packets being dropped)
-- non-TCP protocols that do not back off sufficiently
in the face of congestion
-- para-anonymous denials-of-service attacks (direct or
-- inefficient and expensive transactions when equivalent
transactions may be performed less expensively
(e.g., talking to WWW servers in the Seychelles when
the content is mirrored in a nearby caching hierarchy)
-- lack of adaptability to changes in network topology
moreover, the ends have been asking for an extension of the
service model offered by the middle, and there is no means of
offering the sorts of models that people like Van Jacobson
proposes with his Premium Service, or Dave Clark proposes with
his Assured Service.
I find it ironic that the people who invented the "stupid middle"
model, and who deployed the first several instances of it are
proponents of a scheme in which a reservations manager is a requirement
and policing and shaping traffic, and applying intelligent queueing
disciplines, is essential.
Although an "intelligent middle" with a policing scheme that
rewards congestion avoiding transmitters and penalizes others
preserves TCP behaviour as the stability mechanism for the
Internet in terms of response to changing traffic patterns,
it does nothing to address the last three points.
Modern NATs (meaning a combination NAT, ALG and intrusive cache)
address these issues now. They are imperfect, but work sufficiently
well that they are widely deployed to absorb most of the shock
of renumbering hosts, reducing link utilization by directing
WWW queries to a local cache, and by requiring that outgoing packets
are stamped with a valid source address.
That you don't like them is largely a religious issue.
Hopefully your religion does not blind you to their widespread
deployment and perceived utility to network administrators.
| with particular emphasis on the middle
| just moving the bits correctly, and not trying to second-guess the
| applications (server and client) on the ends. You can imagine what happens
| when a second-guessing middle guesses wrong...
We can see now what happens when a misbehaving end system makes
portions of the Internet unusable for others. There is no fairness
whatsoever in a pure "stupid middle" argument.